parallax | cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe
Size

350KB
MD5

0042ed673ace6ada1be98d420fd4b20d
SHA1

ddb1c86576679bebeeacccbb5bd0abd3f3700b7a
SHA256

cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb
SHA512

5beac2451ab5f589989c50dafb0efff8221b4cd96929652acb9ae442b8f685eb493e3cc2a5eadc491de4eb9a160a1cc84b4e73d718e5632675fa3546be1a7f4d

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 2 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/4776-152-0x0000000000400000-0x0000000000429000-memory.dmp	parallax_rat
behavioral2/memory/4776-153-0x0000000000400000-0x0000000000429000-memory.dmp	parallax_rat

Blocklisted process makes network request 57 IoCs

flow	pid	Process
22	4776	cmd.exe
24	4776	cmd.exe
26	4776	cmd.exe
29	4776	cmd.exe
31	4776	cmd.exe
33	4776	cmd.exe
37	4776	cmd.exe
40	4776	cmd.exe
42	4776	cmd.exe
44	4776	cmd.exe
46	4776	cmd.exe
48	4776	cmd.exe
50	4776	cmd.exe
52	4776	cmd.exe
54	4776	cmd.exe
56	4776	cmd.exe
58	4776	cmd.exe
60	4776	cmd.exe
64	4776	cmd.exe
66	4776	cmd.exe
68	4776	cmd.exe
70	4776	cmd.exe
72	4776	cmd.exe
74	4776	cmd.exe
76	4776	cmd.exe
78	4776	cmd.exe
80	4776	cmd.exe
82	4776	cmd.exe
84	4776	cmd.exe
86	4776	cmd.exe
88	4776	cmd.exe
90	4776	cmd.exe
92	4776	cmd.exe
96	4776	cmd.exe
100	4776	cmd.exe
102	4776	cmd.exe
104	4776	cmd.exe
106	4776	cmd.exe
108	4776	cmd.exe
110	4776	cmd.exe
112	4776	cmd.exe
114	4776	cmd.exe
116	4776	cmd.exe
118	4776	cmd.exe
120	4776	cmd.exe
122	4776	cmd.exe
124	4776	cmd.exe
126	4776	cmd.exe
128	4776	cmd.exe
130	4776	cmd.exe
132	4776	cmd.exe
134	4776	cmd.exe
136	4776	cmd.exe
138	4776	cmd.exe
140	4776	cmd.exe
142	4776	cmd.exe
144	4776	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4580	guessing.exe

Loads dropped DLL 1 IoCs

pid	Process
4580	guessing.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\completedir\	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	guessing.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4580	guessing.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4580	guessing.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 4580	3384	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	83
PID 3384 wrote to memory of 4580	3384	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	83
PID 3384 wrote to memory of 4580	3384	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	83
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84
PID 4580 wrote to memory of 4776	4580	guessing.exe	84

C:\Users\Admin\AppData\Local\Temp\cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe
"C:\Users\Admin\AppData\Local\Temp\cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\guessing.exe
  C:\Users\Admin\AppData\Local\Temp\guessing.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Builtin

Filesize
163KB

MD5
261c683eb0fba130299bf273ad91b975

SHA1
49c25a2d2b335d5eb700e8d3e4fc43aa8ceeaa4c

SHA256
a0f9bef2c730a376cb50bdbea423f7de3b647f45ef003d52cf7620e695d08e75

SHA512
f0bdc17cd8055ff39e587476d6719cd77dae1a63b005be25b0492dfa89f00777c679a3f7065b3ea05716e1d2ac5933e349b279e8b3a493d19ca2a333a783edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeeveBandsman.DLL

Filesize
100KB

MD5
9d7c1c86f699f3299e0c99d19c74a9c5

SHA1
fd2516877080db1da99b0928659920652c153415

SHA256
e64593a325db15dfa270c34307811946f10871ea0351ce40c45235d295150535

SHA512
5db3d4cbd8e1101e81377e6d00e963af29821f4349ef3cbf877ab85afae1cea21a12674fa7d42fe922f146f8e51c9df915188496d0095d1c675653570eadae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeeveBandsman.dll

Filesize
100KB

MD5
9d7c1c86f699f3299e0c99d19c74a9c5

SHA1
fd2516877080db1da99b0928659920652c153415

SHA256
e64593a325db15dfa270c34307811946f10871ea0351ce40c45235d295150535

SHA512
5db3d4cbd8e1101e81377e6d00e963af29821f4349ef3cbf877ab85afae1cea21a12674fa7d42fe922f146f8e51c9df915188496d0095d1c675653570eadae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\guessing.exe

Filesize
40KB

MD5
41a4bc59882726d6d5f492e5d4c9e0ba

SHA1
6da4ec61d8d63e177db748f711c047bebd86bdb9

SHA256
f03c91d1d1e6cf12570e38c277b9726715dbdaafed7ada1d3bbc086547616315

SHA512
0a666c4c0316bf788f5cacb2ebfcb50f65daf7843617afea58ae4134ff14061fb6e67247411ab9dc7133a824c6fabfbec6e6de4c94f21c8dbea83e3e10cb13de

Download Submit
C:\Users\Admin\AppData\Local\Temp\guessing.exe

Filesize
40KB

MD5
41a4bc59882726d6d5f492e5d4c9e0ba

SHA1
6da4ec61d8d63e177db748f711c047bebd86bdb9

SHA256
f03c91d1d1e6cf12570e38c277b9726715dbdaafed7ada1d3bbc086547616315

SHA512
0a666c4c0316bf788f5cacb2ebfcb50f65daf7843617afea58ae4134ff14061fb6e67247411ab9dc7133a824c6fabfbec6e6de4c94f21c8dbea83e3e10cb13de

Download Submit
memory/4580-143-0x00007FF832D90000-0x00007FF832F85000-memory.dmp

Filesize
2.0MB

Download
memory/4580-136-0x00000000004B0000-0x00000000004B7000-memory.dmp

Filesize
28KB

Download
memory/4580-142-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/4580-144-0x0000000002050000-0x0000000002071000-memory.dmp

Filesize
132KB

Download
memory/4776-146-0x00000000008E0000-0x00000000008E6000-memory.dmp

Filesize
24KB

Download
memory/4776-147-0x00007FF832D90000-0x00007FF832F85000-memory.dmp

Filesize
2.0MB

Download
memory/4776-152-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4776-153-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download